Individuals

Collection, Use, & Disclosure

Organisations must obtain your consent to the collection, use or disclosure of your personal data, unless any exception under the PDPA applies. You may refer to the Second, Third and Fourth Schedules of the PDPA for a list of exceptions. You should also be notified of the purposes for the collection, use and disclosure of your personal data.

In this regard, organisations shall not, as a condition of supplying a product or service, require you to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. For example, an organisation that sells a consumer product should not require you to reveal your annual household income as a condition of selling you the product, although it may still ask you to provide such personal data as an optional field.

If the organisation wishes to collect any additional personal data, the organisation should provide you the option of whether to consent to this.

Generally, organisations may continue to use the personal data collected prior to the effective date of the data protection rules, unless you withdraw your consent (if consent had previously been given) or indicate that you do not consent to such use of the personal data.

Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. These exceptions are set out in the Second, Third and Fourth Schedules of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.

For example, if a company has been using your personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose. If the organisation wishes to use the personal data for telemarketing, it will separately have to ensure compliance with the DNC provisions under the PDPA.

Generally, organisations may continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.

Generally, the security guard should inform visitors of the purposes for the collection, use and disclosure of their personal data and obtain their consent. Even if the visitor does not expressly consent, if the visitor has been informed that his personal data is required for a particular purpose (for example, security purposes for entry into the premises), and he voluntarily provides the data, the visitor may be deemed to have given his consent to the collection, use or disclosure of his personal data for that purpose.

The PDPA requires (amongst other things) that an organisation only collects, uses or discloses personal data for purposes that a reasonable person would consider appropriate in the circumstances and also make reasonable security arrangements to protect personal data collected in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

If you are unable to find an answer to your query, please submit your Feedback to let us know how we can help you.